Cloud bill gains support as FedRAMP sets JAB approval cap

Following Rep. Will Hurd’s (R-Texas) field hearing in San Antonio, Texas last week on the state of federal cloud computing, the challenges around contracting and budgeting for these services remain the biggest obstacle to wider acceptance.

Most would agree the broad budgetary changes needed for agencies to alter the way they buy aren’t happening anytime soon. But there is a growing acceptance that another approach to funding cloud computing is starting to get some attention on Capitol Hill.

Rich Beutel, a former House Oversight and Government Reform Committee senior staff member and one of the main forces behind the Federal IT Acquisition Reform Act (FITARA), has been circulating a cloud bill with lawmakers over the last six months. Beutel is modeling his cloud bill from a funding perspective after the continuous diagnostics and mitigation (CDM) program run by the Homeland Security Department.

Beutel has streamlined his bill to focus on three main areas:

  • The codification of the cloud security program called the Federal Risk and Authorization Management Program (FedRAMP) and making it mandatory for all cloud deployments.
  • The creation of revolving working capital funds and broader budget flexibilities for cloud transitions.
  • A requirement for agencies to accelerate their transitions off legacy hardware to new technologies by requiring them to complete operational assessments once a year. A recent Government Accountability Office report found agencies were not doing this and missing out on billions of dollars in savings.

Beutel said he had strong support from at least one member in the Senate and a growing interest from the House.

He wouldn’t go into more details about who or which committees, but it’s pretty safe to assume the logical choices are his old House Oversight committee and the Senate’s counterpart, Homeland Security and Governmental Affairs.

The concept of a working capital fund for cloud transitions is probably the change that agencies most need. Having a pot of money to lean on when turning off old systems and moving them to the cloud would help address a host of systemic issues. Agencies tend not to have “extra” money lying around to make these changes, so having a dedicated fund for technology upgrades has been shown to work well.

The FedRAMP section also brings up an interesting issue.

While FedRAMP has been successful for the most part, there is a growing frustration on both the vendor and government sides of the effort over the process that many see as too cumbersome.

Several government officials have said vendors are not submitting complete cloud packages, which is leading to the 12-18 month average to get through the Joint Authorization Board (JAB). The FedRAMP folks have positioned the JAB, which is made up of CIOs from DHS, the General Services Administration and the Defense Department, as the gold standard for cloud security authorizations.

At the same time, vendors say the process is expensive and agencies are relying too much on the JAB because they don’t want to pay for their own authorizations or don’t have the expertise to conduct the reviews.

Now, FedRAMP Director Matt Goodrich said the program management office (PMO) can only support, maintain and oversee 50 cloud service provider (CSP) approvals at any one time.

That limit of 50 cloud service providers shocked several industry experts who follow cloud closely.

Now to be clear, Goodrich said he’s been saying there is a limit for the PMO for some time based on its current set of people and funding, and it doesn’t mean the 50 CSPs are static either.

“We plan to roll JAB authorities to operate (ATOs) to agency ATOs for those CSPs that are not being used governmentwide,” Goodrich said. “We tell them to maintain it and then bring in new governmentwide ATOs.”

He said the JAB is working with about 35 cloud providers so far and there are about another 20 vendors working through the readiness phase to get in front of the authorization board.

Goodrich said the PMO has suggested to OMB that the JAB needs more funding and resources. While that request works its way through the normal process, he said the PMO is piloting a continuous monitoring approach to make it easier to ensure cloud providers are meeting FedRAMP security standards.

“We will be starting next month, using a tool that takes in data from other tools that scan, and then compares the data to FedRAMP parameters,” Goodrich said. “We will be taking on agency ATOs and getting the same information agencies get and pilot it for three months. We want to find out how useful the reports will be and see if we can relieve some of the burden on the JAB and agencies to maintain cloud service provider ATOs.”

He said the pilot also will help determine if the tool, developed for FedRAMP, would be scalable to more CSPs.

In the meantime, Goodrich said the PMO is working with OMB to encourage more agencies to take on ATO approval efforts.

“The program wasn’t built for everything to go through JAB,” he said. “There has been plenty of discussion about whether the JAB should do all of the ATOs, and we can redesign the process to do that, but that requires more money and more people.”

Goodrich said the fastest way to get an ATO is through the agency process.

In fact, Goodrich said the PMO is close to hiring someone whose job will be solely dedicated to helping agencies become better and faster with the ATO process.

The steps Goodrich and FedRAMP are taking to address the challenges of the growing program will help, but it’s obvious that legislative help in the form of a fund or some way to dedicate funding toward cloud migrations is what’s needed to speed up the transition off legacy infrastructure.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.